Resolving DNS Queries Between VPCs and Your Network

When you create a VPC using Amazon VPC, you automatically get DNS resolution within
the VPC from Route 53 Resolver.
By default, Resolver answers DNS queries for VPC domain names such as domain names
for EC2 instances or ELB load balancers.
Resolver performs recursive lookups against public name servers for all other domain
names.

You can also configure DNS resolution between your VPC and your network over a Direct
Connect or VPN connection:

You can configure Resolver to forward queries that it receives from EC2 instances
in your VPCs to DNS resolvers
on your network. To forward selected queries, you create Resolver rules that specify
the domain names for the DNS queries
that you want to forward (such as example.com), and the IP addresses of the DNS
resolvers on your network that you want
to forward the queries to. If a query matches multiple rules (example.com, acme.example.com),
Resolver chooses the rule
with the most specific match (acme.example.com) and forwards the query to the
IP addresses that you specified in that rule.
For more information, see
How Route 53 Resolver Forwards DNS Queries from Your VPCs to Your Network.

Like Amazon VPC, Resolver is regional. In each region where you have VPCs, you can
choose whether to forward queries from your VPCs
to your network (outbound queries), from your network to your VPCs (inbound queries),
or both.

To use inbound or outbound forwarding, you create a Resolver endpoint in your VPC.
As part of the definition of an endpoint, you specify
the IP addresses that you want to forward inbound DNS queries to or the IP addresses
that you want outbound queries to originate from.
For each IP address that you specify, Resolver automatically creates a VPC elastic
network interface. Those network interfaces use the security groups that you assign
to the endpoint, so limit them to DNS traffic (TCP and UDP port 53) exchanged with
the resolvers on your network.

The following diagram shows the path of a DNS query from a DNS resolver on your network
to Route 53 Resolver.

The following diagram shows the path of a DNS query from an EC2 instance in one of
your VPCs to a DNS resolver on your network.

Using Rules to Control Which Queries Are Forwarded
to Your Network

You can categorize rules in a couple of ways. One way is by who creates the rules:

Autodefined rules – Resolver automatically creates autodefined rules and
associates the rules with your VPCs. Most of these rules apply to the AWS-specific
domain names that Resolver answers queries for.
For more information, see
Domain Names that Resolver Creates Autodefined Rules For.

Custom rules – You create custom rules and associate the rules with
VPCs. Currently, you can create only one type of custom rule, conditional forwarding
rules, also known as forwarding rules.
Forwarding rules cause Resolver to forward DNS queries from your VPCs to the
IP addresses for DNS resolvers on your network.

If you create a forwarding rule for the same domain as an autodefined rule, Resolver
forwards queries for that domain name
to DNS resolvers on your network based on the settings in the forwarding rule.

System rules – System rules cause Resolver to selectively override the behavior
that is defined in a forwarding rule. When you create a system rule, Resolver
resolves DNS queries for specified subdomains
that would otherwise be resolved by DNS resolvers on your network.

By default, forwarding rules apply to a domain name and all its subdomains. If you
want to forward queries for a domain
to a resolver on your network but you don't want to forward queries for some
subdomains, you create a system rule for the subdomains.
For example, if you create a forwarding rule for example.com but you don't want
to forward queries for acme.example.com, you create a
system rule and specify acme.example.com for the domain name.

Recursive rule – Resolver automatically creates a recursive rule named
Internet Resolver. This rule causes Route 53 Resolver to act as a recursive resolver for any domain
names
that you didn't create custom rules for and that Resolver didn't create autodefined
rules for. For information about how to
override this behavior, see "Forwarding All Queries to Your Network" later in
this topic.

You can create custom rules that apply to specific domain names (yours or most AWS
domain names), to public AWS domain names, or to all domain names.

Forwarding queries for specific domain names to your network

To forward queries for a specific domain name, such as example.com, to your network,
you create a rule and
specify that domain name. You also specify the IP addresses of the DNS resolvers
on your network that you want to forward
the queries to. You then associate each rule with the VPCs for which you want
to forward DNS queries to your network.
For example, you can create separate rules for example.com, example.org, and
example.net. Then you can associate the rules
with the VPCs in an AWS Region in any combination.
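The following Python script is an added example; it is not code from the AWS documentation or from an AWS SDK sample. It expresses the procedure described above (create an outbound endpoint, create one forwarding rule per domain name plus an optional system rule, associate each rule with your VPCs) as calls to the route53resolver API, using the parameter names of CreateResolverEndpoint, CreateResolverRule, and AssociateResolverRule. The subnet, security group, VPC, and IP values are placeholders, and the RecordingClient stand-in lets the script run offline; pass boto3.client("route53resolver") instead to make real calls.

```python
"""Outbound forwarding setup for Route 53 Resolver, expressed as the API calls
the procedure implies: create an outbound endpoint, create one FORWARD rule per
on-premises domain (plus optional SYSTEM carve-outs), associate each rule with VPCs.

Added example, not AWS code. Parameter names follow the route53resolver API
(CreateResolverEndpoint, CreateResolverRule, AssociateResolverRule); every
subnet, security group, VPC and IP value below is a placeholder."""
import ipaddress
import uuid


def outbound_endpoint_request(name, subnet_ips, security_group_ids):
    """subnet_ips: [(subnet_id, ip), ...]. Resolver creates one ENI per entry.
    Two or more addresses in different Availability Zones are required; this
    approximates that check by requiring distinct subnets."""
    if len(subnet_ips) < 2 or len({s for s, _ in subnet_ips}) < 2:
        raise ValueError("need >= 2 addresses in >= 2 subnets (one per AZ)")
    for _, ip in subnet_ips:
        ipaddress.ip_address(ip)          # reject typos before the API does
    return {
        "CreatorRequestId": str(uuid.uuid4()),   # idempotency token
        "Name": name,
        "Direction": "OUTBOUND",
        "SecurityGroupIds": list(security_group_ids),  # scope egress to on-prem resolvers, port 53
        "IpAddresses": [{"SubnetId": s, "Ip": ip} for s, ip in subnet_ips],
    }


def forward_rule_request(name, domain, target_ips, endpoint_id, port=53):
    """A FORWARD rule: domain (or "." for everything) -> resolver IPs on your network."""
    if domain != "." and (not domain or "" in domain.strip(".").split(".")):
        raise ValueError(f"malformed domain name: {domain!r}")
    if not target_ips:
        raise ValueError("a FORWARD rule needs at least one target IP")
    for ip in target_ips:
        ipaddress.ip_address(ip)
    return {
        "CreatorRequestId": str(uuid.uuid4()),
        "Name": name,
        "RuleType": "FORWARD",
        "DomainName": domain,
        "TargetIps": [{"Ip": ip, "Port": port} for ip in target_ips],
        "ResolverEndpointId": endpoint_id,   # the ENIs the query leaves from
    }


def system_rule_request(name, domain):
    """A SYSTEM rule carves a subdomain back out of a broader FORWARD rule;
    it takes no targets and no endpoint because Resolver answers it itself."""
    return {"CreatorRequestId": str(uuid.uuid4()), "Name": name,
            "RuleType": "SYSTEM", "DomainName": domain}


def deploy(client, endpoint_req, forward_domains, target_ips, system_domains, vpc_ids):
    """Run the procedure end to end. `client` is boto3.client("route53resolver")
    or anything exposing the same three methods. Returns the rule IDs created."""
    ep_id = client.create_resolver_endpoint(**endpoint_req)["ResolverEndpoint"]["Id"]
    reqs = [forward_rule_request(f"fwd-{d}", d, target_ips, ep_id) for d in forward_domains]
    reqs += [system_rule_request(f"sys-{d}", d) for d in system_domains]
    rule_ids = []
    for req in reqs:
        rule_id = client.create_resolver_rule(**req)["ResolverRule"]["Id"]
        rule_ids.append(rule_id)
        for vpc in vpc_ids:   # a rule does nothing until it is associated with a VPC
            client.associate_resolver_rule(ResolverRuleId=rule_id, VPCId=vpc,
                                           Name=f"{req['Name']}-{vpc}")
    return rule_ids


class RecordingClient:
    """Stand-in for boto3's client so the flow runs offline; records each call."""
    def __init__(self):
        self.calls = []

    def create_resolver_endpoint(self, **kw):
        self.calls.append(("CreateResolverEndpoint", kw))
        return {"ResolverEndpoint": {"Id": "rslvr-out-placeholder"}}

    def create_resolver_rule(self, **kw):
        self.calls.append(("CreateResolverRule", kw))
        return {"ResolverRule": {"Id": f"rslvr-rr-{len(self.calls)}"}}

    def associate_resolver_rule(self, **kw):
        self.calls.append(("AssociateResolverRule", kw))
        return {"ResolverRuleAssociation": {"Status": "CREATING"}}


# Constructed placeholder values for a stand-alone run.
ENDPOINT = outbound_endpoint_request(
    "onprem-outbound",
    [("subnet-aaaa1111", "10.0.1.10"), ("subnet-bbbb2222", "10.0.2.10")],
    ["sg-resolver-egress"])

if __name__ == "__main__":
    c = RecordingClient()
    deploy(c, ENDPOINT, ["example.com", "example.net"], ["192.0.2.53", "198.51.100.53"],
           ["acme.example.com"], ["vpc-1111", "vpc-2222"])
    for api, params in c.calls:
        print(api, params.get("DomainName") or params.get("Name"), params.get("VPCId", ""))
```

The security groups you pass for the endpoint are attached to the elastic network interfaces that Resolver creates, so for an outbound endpoint allow egress only to the resolvers on your network on TCP and UDP port 53; an inbound endpoint is the mirror image (ingress from your network's resolvers on port 53). The script rejects an endpoint whose addresses all sit in one subnet, because a single-AZ endpoint defeats the two-address requirement the service imposes.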

Forwarding queries for amazonaws.com to your network

The domain name amazonaws.com is the public domain name for AWS resources such as
EC2 instances and S3 buckets.
If you want to forward queries for amazonaws.com to your network, create a rule,
specify amazonaws.com for the domain name,
and specify Forward for the rule type.

Note

Resolver doesn't automatically forward DNS queries for some amazonaws.com subdomains
even if you create a
forwarding rule for amazonaws.com. For more information, see
Domain Names that Resolver Creates Autodefined Rules For. For information about how to override
this behavior, see "Forwarding All Queries to Your Network," immediately following.

Forwarding all queries to your network

If you want to forward all queries to your network, you create a rule, specify "."
(dot) for the domain name,
and associate the rule with the VPCs for which you want to forward all DNS
queries to your network.
Resolver still doesn't forward all DNS queries to your network because using
a DNS resolver outside of AWS would break
some functionality. For example, some internal AWS domain names have internal
IP address ranges that aren't accessible
from outside of AWS. For a list of the domain names for which queries aren't
forwarded to your network when you
create a rule for ".", see
Domain Names that Resolver Creates Autodefined Rules For.

If you want to try forwarding DNS queries for all domain names to your network, including
the domain names
that are excluded from forwarding by default, you can create a "." rule and
do one of the following:

If you forward all domain names to your network, including the domain names that Resolver
excludes when you create
a "." rule, some features might stop working.

How Resolver Determines Whether the Domain Name
in a Query Matches Any Rules

Route 53 Resolver compares the domain name in the DNS query with the domain name in
the rules that are associated with the
VPC that the query originated from. Resolver considers the domain names to match
in the following cases:

The domain names match exactly

The domain name in the query is a subdomain of the domain name in the rule

For example, if the domain name in the rule is acme.example.com, Resolver considers
the following domain names in a
DNS query to be a match:

acme.example.com

zenith.acme.example.com

The following domain names are not a match:

example.com

nadir.example.com

If the domain name in a query matches the domain name in more than one rule (such
as example.com and www.example.com),
Resolver routes outbound DNS queries using the rule that contains the most specific
domain name (www.example.com).

How Resolver Determines Where to Forward
DNS Queries

When an application that runs on an EC2 instance in a VPC submits a DNS query, Route
53 Resolver performs the following steps:

Resolver checks for domain names in rules.

If the domain name in a query matches the domain name in a rule, Resolver forwards
the query to the IP address
that you specified when you created the outbound endpoint. The outbound endpoint
then forwards the query to the
IP addresses of resolvers on your network, which you specified when you created
the rule.

If the domain name in a query doesn't match the domain name in any custom rule, Resolver
forwards the query based on
the settings in the autodefined "." (dot) rule. The dot rule applies to all
domain names except some AWS internal domain names and
record names in private hosted zones. This rule causes Resolver to send the query
to public name servers (a recursive lookup) when the domain name doesn't match
any name in your custom forwarding rules.
If you want to forward all queries to the
DNS resolvers on your network instead, you can create a custom forwarding rule, specify
"." for the domain name, specify
Forward for the rule type, and specify the IP addresses of those resolvers.

Resolver returns the response to the application that submitted the query.
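The following Python script is an added example (it is not part of the AWS documentation and not AWS code) that models the matching and forwarding decisions described in this section and the previous one, including the system-rule carve-out and the custom-overrides-autodefined behavior from the rule categories earlier in this topic. The rule set, IP addresses, and the eu-west-1 autodefined names are constructed for illustration; the decision labels are this script's own, not values returned by any AWS API.

```python
"""Simulation of how Route 53 Resolver picks a rule for a query from a VPC
and what that rule makes it do. Added example, not AWS code; the rule set
below is constructed to mirror the text (autodefined rules, a custom FORWARD
rule, a SYSTEM rule carved out of it, and the "." Internet Resolver rule)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    domain: str                      # "example.com", "10.in-addr.arpa", or "." for all names
    rule_type: str                   # "FORWARD", "SYSTEM" or "RECURSIVE"
    targets: List[str] = field(default_factory=list)   # on-prem resolver IPs (FORWARD only)
    autodefined: bool = False        # created by Resolver rather than by you


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored, "." -> no labels."""
    name = name.lower().strip(".")
    return name.split(".") if name else []


def matches(rule_domain: str, query: str) -> bool:
    """Exact match, or the query is a subdomain of the rule domain. Comparison is
    label-wise, so "example.com" does not match "notexample.com"."""
    r, q = _labels(rule_domain), _labels(query)
    return len(q) >= len(r) and q[len(q) - len(r):] == r


def select_rule(rules: List[Rule], query: str) -> Optional[Rule]:
    """Most specific match wins; at equal specificity a custom rule overrides
    the autodefined rule for the same domain."""
    candidates = [r for r in rules if matches(r.domain, query)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (len(_labels(r.domain)), not r.autodefined))


def resolve_action(rules: List[Rule], query: str) -> Tuple[str, List[str]]:
    """Return (decision, target IPs) for a query that arrives from the VPC."""
    rule = select_rule(rules, query)
    if rule is None or rule.rule_type == "RECURSIVE":
        return ("RECURSIVE", [])            # public name servers, via Resolver
    if rule.rule_type == "SYSTEM":
        return ("SYSTEM", [])               # Resolver answers it, no forwarding
    if rule.autodefined:
        return ("VPC_AUTHORITATIVE", [])    # AWS-internal name, never leaves AWS
    return ("FORWARD", list(rule.targets))  # leaves through the outbound endpoint


# Constructed rule set for a VPC in eu-west-1.
VPC_RULES = [
    Rule(".", "RECURSIVE", autodefined=True),                        # Internet Resolver
    Rule("eu-west-1.compute.internal", "FORWARD", autodefined=True),
    Rule("eu-west-1.compute.amazonaws.com", "FORWARD", autodefined=True),
    Rule("10.in-addr.arpa", "FORWARD", autodefined=True),
    Rule("example.com", "FORWARD", ["10.1.0.53", "10.2.0.53"]),      # to your network
    Rule("acme.example.com", "SYSTEM"),                              # carve-out
    Rule("amazonaws.com", "FORWARD", ["10.1.0.53"]),                 # public AWS names
]

if __name__ == "__main__":
    for q in ["www.example.com", "db.acme.example.com", "notexample.com",
              "ec2-10-0-0-5.eu-west-1.compute.amazonaws.com", "s3.amazonaws.com",
              "5.0.0.10.in-addr.arpa"]:
        print(f"{q:48} -> {resolve_action(VPC_RULES, q)}")
```

Two behaviors are worth noticing when you run it. A custom "." forwarding rule still loses to the autodefined rule for eu-west-1.compute.internal, which is why creating a "." rule does not forward every query to your network. And matching is label by label, so a rule for example.com never catches a query for notexample.com; a naive string-suffix check would, and would leak those queries to whichever resolver the rule names.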

Using Rules in Multiple Regions

Route 53 Resolver is a regional service, so objects that you create in one AWS Region
are available only in that Region.
To use the same rule in more than one Region, you must create the rule in each
Region.

Domain Names that Resolver Creates Autodefined Rules For

For publicly reserved domain names (such as localhost and 10.in-addr.arpa), DNS best
practices recommend that queries are answered locally instead of being forwarded to
public name servers. See RFC 6303, Locally Served DNS Zones.

To override the default behavior for autodefined rules, you can create conditional
forwarding rules.

Resolver creates the following autodefined rules.

Rules for private hosted zones

For each private hosted zone that you associate with a VPC, Resolver creates a rule
and associates it with
the VPC. If you associate the private hosted zone with multiple VPCs, Resolver
associates the rule with the same VPCs.

The rule has a type of Forward.

Rules for various AWS internal domain names

All rules for the internal domain names in this section have a type of Forward. Resolver
forwards DNS queries for these domain names to the authoritative name servers
for the VPC.

Resolver creates the following autodefined rules and associates them with a VPC when
you set the enableDnsHostnames flag
for the VPC to true:

Region-name.compute.internal, for example, eu-west-1.compute.internal.
The us-east-1 Region doesn't use this domain name.

Region-name.compute.amazon-domain-name, for example,
eu-west-1.compute.amazonaws.com or cn-north-1.compute.amazonaws.com.cn.
The us-east-1 Region doesn't use this domain name.

ec2.internal. Only the us-east-1 Region uses this domain name.

compute-1.internal. Only the us-east-1 Region uses this domain name.

compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

The following autodefined rules are for the reverse DNS lookup for the rules that
Resolver creates when you set the
enableDnsHostnames flag to true. They're created at the same time:

10.in-addr.arpa

16.172.in-addr.arpa through 31.172.in-addr.arpa

168.192.in-addr.arpa

254.169.254.169.in-addr.arpa

The following autodefined rules, for localhost-related domains, also are created and
associated with a VPC when you
set the enableDnsHostnames flag for the VPC to true:

If you add an IPv4 CIDR block to a VPC, Resolver adds an autodefined rule for the
new IP address range.

If the other VPC is in another Region, the following domain names:

Region-name.compute.internal.
The us-east-1 Region doesn't use this domain name.

Region-name.compute.amazon-domain-name.
The us-east-1 Region doesn't use this domain name.

ec2.internal. Only the us-east-1 Region uses this domain name.

compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

A rule for all other domains

Resolver creates a "." (dot) rule that applies to all domain names that aren't specified
earlier in this topic.
The "." rule has a type of Recursive, which means that the rule causes Resolver to act as a recursive resolver.

Considerations When Creating Inbound and Outbound Endpoints

Before you create inbound and outbound Resolver endpoints in an AWS Region, consider
the following issues:

Number of inbound and outbound endpoints in each AWS Region

When you want to integrate DNS for the VPCs in an AWS Region with DNS for your network,
you typically need one
Resolver inbound endpoint (for DNS queries that you're forwarding to your VPCs)
and one outbound endpoint (for queries that you're
forwarding from your VPCs to your network). You can create multiple inbound endpoints
and multiple outbound endpoints, but
one endpoint is sufficient to handle the DNS queries in either direction. Note
the following:

For each Resolver endpoint, you specify two or more IP addresses in different Availability
Zones. Each IP address
in an endpoint can handle a large number of DNS queries per second. (For the
current limit on the number of queries per second
per IP address in an endpoint, see Limits on Route 53 Resolver.)
If you need Resolver to handle more queries, you can add more IP addresses
to your existing endpoint instead of
adding another endpoint.

Resolver pricing is based on the number of IP addresses in your endpoints and on the
number of DNS queries
that the endpoint processes. Each endpoint includes a minimum of two IP addresses.
For more information about Resolver pricing,
see Amazon Route 53 Pricing.

Each rule specifies the outbound endpoint that DNS queries are forwarded from. If
you create
multiple outbound endpoints in an AWS Region and you want to associate some
or all Resolver rules with every VPC,
you need to create multiple copies of those rules.

Using the same VPC for inbound and outbound endpoints

You can create inbound and outbound endpoints in the same VPC or in different VPCs
in the same Region.

Inbound endpoints and private hosted zones

If you want Resolver to resolve inbound DNS queries using records in a private hosted
zone, associate the
private hosted zone with the VPC that you created the inbound endpoint in. For
information about associating private hosted zones
with VPCs, see Working with Private Hosted Zones.

VPC peering

You can use any VPC in an AWS Region for an inbound or an outbound endpoint regardless
of whether the VPC
that you choose is peered with other VPCs. For more information, see
Amazon Virtual Private Cloud VPC Peering.

Connection between your network and the VPCs that you create endpoints in

You must have one of the following connections between your network and the VPCs that
you create endpoints in:

Inbound endpoints – You must set up either an
AWS Direct Connect connection or a
VPN connection between your network and each VPC
that you create an inbound endpoint for.

When you create a rule, you specify the outbound endpoint that you want Resolver to
use to forward DNS queries
to your network. If you share the rule with another AWS account, you also indirectly
share the outbound endpoint that you specify
in the rule. If you used more than one AWS account to create VPCs in an AWS Region,
you can do the following:

Create one outbound endpoint in the Region.

Create rules using one AWS account.

Share the rules with all the AWS accounts that created VPCs in the Region.

This allows you to use one outbound endpoint in a Region to forward DNS queries to
your network from multiple VPCs
even if the VPCs were created using different AWS accounts.
